1

Binding keys to programs using Intel SGX remote attestation

Mark D. Ryan

London Crypto Day

22 September 2017

2

Intel SGX

Intel SGX is a set of processor instructions which allow one:● To set up an enclave (code & memory) such that

the code runs in a way that it and its memory are protected from interference from the OS and other software

● To securely report the state of the enclave, locally and remotely

Present on all (major) Intel processors from Skylake (2015) onwards

3

Not the first hardware security anchor

ARM TrustZone

● ARM processors have two execution modes, with hardware-enforced access control between them:

– “Normal world”Runs the rich OS (e.g., Android) and apps

– “Secure world”Runs security-critical code.

Trusted platform module (TPM)

● Version 1 (2004), 1.2 (2008), 2.0 (2014-)

● Separate chip soldered to motherboard

● API that allows you to create keys whose secret part never leaves the TPM

– A key can be locked to “authdata” (like a password to use the key)

– And/or can be locked to PCR values, which “measure” the boot sequence

Best known use: Microsoft Bitlocker

4

Intel SGX: attacks addressed

An enclave within an app is protected from interference from other software, including the OS and VMM. Note that enclaves can only run in ring 3 (user space).

5

Intel SGX: attacks not addressed

● Side-channel attacksCache and page access patterns– Extraction of RSA secret keys, under assumptions,

by co-located [enclave] processes

– Programmer is expected to mitigate this attack

● Hardware attacks– Chip decapsulation

– Trojan hardware: vulnerabilities possibly introduced in the supply chain

6

Intel SGX

Well suited for:

● Cloud computing (“reverse DRM”), in which your device sends data to a cloud server, and you want to impose restrictions on how it is processed

Not suited for:

● Applications that involve I/O on the platform

– Password managers

– Banking apps

Partly suited for:

● DRM, where a server delivers content to your device, along with restrictions on how you use it

7

Cloud userdata d

Cloud serverprogram P

data d’

Decrypt {d}k

apply P to d, d’update d’

Encrypt P(d, d’)

Bob cannot access d except by applying P to it and returning that to Alice.

In general, Bob does not know d, d’ or k, k’Bob does know P

{d}k

{P(d,d’)}k’

Example: confidentiality from the cloud provider

8

Userkey k

sensitive data d1, d

2, ...

Service Provider Blockchainchain hash h

enters into blockchainnew chain hash h’

“SGX enclave”key k

chain hash h

Verifies h, π, ρ Decrypts e

{d1}

k

e = {d156

}k

Advert: “accountable decryption”Escrow with accountability: whenever it decrypts, SP creates evidence which cannot be suppressed or discarded.

Use case: user uploads her encrypted location continually;SP decrypts it only when she reports lost phone.

{d2}

k

{d3}

k

.:

h’, π:e∈h’

ρ:h<h’e, h’, π, ρ

deck(e)

9

Other approaches to solving the “confidentiality from the cloud provider” problem

Crypto

● Fully homomorphic encryption

● Functional encryption

● Order-preserving encryption

● Multi-party computation

● White-box crypto

● Indistinguishability obfuscation

Challenges

● Restrictions on the program P

● Use-case restrictions

● Performance

Hardware

● TPM & Intel TXT

● ARM Trustzone

Challenges

● Requirement to trust HW design and implementation

● Size of TCB

● Business model

● Documentation

10

Intel SGX concepts

Protected memory● Enclave Page Cache (EPC), access control, MEE

Enclave● “SGX enclave control structure” (SECS)

– Core data about the enclave, held in a dedicated EPC page.

● Life cycle of an enclave

– Creation / loading / initialisation (aka launching) / teardown

11

Intel SGX concepts

Enclave measurement● An enclave measurement (noted MRENCLAVE) is a hash of its

code and initial data

Enclave identity● MRENCLAVE: Its measurement is the strictest way to identify an

enclave.

● MRSIGNER: An “enclave certificate” is a more flexible way to identify an enclave. The certificate is signed by the “independent software vendor” (ISV), and includes ISVPRODID and ISVSVN.

– Allows data migration from old security versions to new ones.

12

Intel SGX concepts

As well as processor instructions...● ECREATE, EADD, EEXTEND, EINIT, … : managing the

enclave life cycle

● EGETKEY, EREPORT, … : managing data within an enclave.

… there are Intel-provided enclaves● Launch enclave

● Provisioning enclave

● Quoting enclave

13

Intel SGX secret values

Some secret values are built into the platform.

Known to the processor and to Intel:● SGX Master derivation key

– Derived from provisioning secret

Known to the processor (but not to Intel)● Seal secret (also known as SEAL_FUSES)● OWNER_EPOCH

SKIP

14

Setting up an enclave

● System software uses ECREATE to set up the initial memory page allocated to the enclave, which contains the SGX Enclave Control Structure (SECS)

● It uses EADD to allocate further pages containing enclave code and initial data

● It uses EEXTEND to update the enclave’s ‘measurement’

● After loading the initial code and data pages into the enclave, the system uses a ‘Launch Enclave’ (LE) to obtain an EINIT token

– The token is provided to the EINIT instruction to initialise the enclave

– LE is a privileged enclave provided (e.g.) by Intel, signed by and Intel private key

SKIP

15

Initialising an enclave (more detail)

Untrusted system software sets up SECS and the enclave certificate SIGSTRUCT

A launch enclave

● checks the enclave certificate SIGSTRUCT against SECS

● checks the “launch policy”

● produces EINITTOKEN

● Produces the EINITTOKEN MAC using a launch key obtained using EGETKEY

The processor instruction EINIT checks EINITTOKEN and initialises the enclave

SECS MRENCLAVE MRSIGNER ATTRIBUTES - DEBUG - XFRM ISVPRODID ISVSVN

SIGSTRUCT ENCLAVEHOST VENDOR ATTRIBUTES ATTRIBUTEMASK ISVPRODID ISVSVN signature

EINITTOKEN MRENCLAVE MRSIGNER ATTRIBUTES launch enclave info MAC

SKIP

16

What an enclave can do

● Computations● Access its own [encrypted] memory● Access app memory● Communicate with user, but insecurely● Communicate with another party, which can be secure if the enclave

shares a key with the other party● Attest its identity (a hash of its binary and initial data) to another party● “Seal” data, i.e. encrypt data with a key that only it can access, for

persistent storage– Can use Platform Service Enclave (PSE) for trusted time and

monotonic counter● Teardown

Enclave

MemoryApp

17

Seal keys obtained using EGETKEYKey request KEYNAME e.g. seal key, report key, provisioning key

KEYIDKEYPOLICY MRENCLAVE and/or MRSIGNERATTRIBUTEMASKISVSVN must be ≤ the caller’s ISVSVNCPUSVN must be ≤ the calling platform’s CPUSVN

AES-CMACSGX Master

Derivation key(known to Intel)

128-bit key

MRENCLAVEdep. on KEYPOLICY

MRSIGNERdep. on KEYPOLICY

MASKEDATTRIBUTES

OWNEREPOCHset by platform owner

SEALFUSESnot known to Intel

KEYID

ISVPRODID KEYNAME ISVSVN CPUSVN

KDF

18

Migrating data between enclaves

● Same platform, same enclave (just a different instance):

– Sealed blob can migrate.

● Same platform, different enclave:

– If it’s a newer security version of the same ISVPRODID, and the KEYPOLICY is set to MRSIGNER, then the sealed blob can be migrated.

– More generally, the EREPORT mechanism can be used to set up a secure channel between two arbitrary enclaves on the same platform

● Different platform, same or different enclave:

– Need remote attestation.

SKIP

19

Remote attestation

● How can a remote party know that it is talking to a given enclave?

– An enclave is identified by MRENCLAVE [strict] or by MRSIGNER/ISVPRODID [more flexible]

● How can a remote party know that a given key can be used exclusively by a given enclave?

20

SGX serviceattestation key ak

Enclave

generates pk

App Relying party

verifies attestation

Simple remote attestation

Platform with SGX has an “attestation” signing key ak, and Intel has certified it : platform_cert := signIntel(pub(ak))

pk

enclave_cert :=

signak

(pk, MRENCLAVE)

platform_cert, enclave_cert

{secret}pk

enclave_cert

{secret}pk

21

Privacy concern: not acceptable because RP can identify (using platform cert) which platform it is interacting with

This concern is not applicable if the attestation is that of a cloud service: cloud services do not require privacy

Solution 1: “Privacy CA” for provisioning ak

Solution 2: “Direct anonymous attestation” (DAA)

SGX serviceendorsement key ek

generate ak

Decrypt enc_ak_cert

Intel

check ek

Objection 1: privacy concern

pub(ak), ek

enc_ak_cert := {signIntel

(pub(ak))}ek

22

Intel would like to be able to revoke platform attestation keys if:

● Revocation based on private key:the private part is seen in the wild (e.g. published on the Internet), or

● Revocation based on signature:the key is perceived as signing erratically

Possible solutions

● Certificate revocation-list checking, or

● Short-lived certificates, that must be renewed periodically (e.g., every month)

Objection 2: revocation concern

23

Issuer: gpk, isk

Join: Pi obtains ski by interacting with issuer

Sign: σ = sign (m); or (if ski is revoked) σ =

Verify: Verify(gpk, m, PrivRL, SigRL, σ) = valid or invalid

Revoke:

● RevokePriv (gpk, ski)

– checks ski, and

– adds ski to PrivRL

● RevokeSig (gpk, PrivRL, m, σ)

– verifies σ, and

– adds σ to SigRL

EPID Signatures and Verification

ski

gpk, sigRL

24

Provisioning the attestation key

● A ‘provisioning enclave’ uses EGETKEY to obtain a symmetric ‘provisioning key’ which Intel can also compute

● It runs the EPID join protocol with Intel (protected by the provisioning key), obtaining its attestation signing key

● It uses EGETKEY to obtain a ‘provisioning seal key’ and stores the attestation key encrypted by the provisioning seal key

Remote attestation

25

Producing a REPORT

● The attesting enclave uses EREPORT to produce a report structure, MAC’d with a report key

● The report is passed to a quoting enclave

“Quoting” the report

● The quoting enclave uses EGETKEY to obtain a report key to check the report MAC

● It uses EGETKEY to obtain a provisioning seal key to decrypt the attestation key

● It uses the attestation key to sign the report (along with a received challenge)

Remote attestation

26

SGX service Enclave App Relying party

Simple remote attestation

27

SGX service Enclave App RP IAS

Intel’s remote attestation

28

S. M. Kim, J. Han, J. Ha, T. Kim, D. Han. Enhancing Security and Privacy of Tor’s Ecosystem by Using rusted Execution Environments. USENIX NDSI, 2017.

F. Schuster, M. Costa, D. Fournet, C. Gkantsidis, M. Peinado, G. Mainar-Ruiz, M. Russinovich. VC3: Trustworthy Data Analytics in the Cloud Using SGX. IEEE S&P, 2015.

M. D. Ryan. Making Decryption Accountable. 25th Security Protocols Workshop, Springer LNCS, 2017.

K. Severinson, M. D. Ryan, C. Johansen. Accountable Decryption Using Intel SGX. In preparation.

● Very small, short-lived enclave (no page caching)

SGX uses in research literature

29

SGX: a powerful architecture for managing secret data

+ Enables processing of data that cannot be read by anyone, except for code running in the enclave

+ Minimal TCB: nothing trusted except for x86 processor

+ Not suitable for applications involving user I/O, but well suited for cloud-based applications

- Hardware and side-channel attacks

- Requires interaction with Intel at three distinct points:

– Launch approval (by platform)

– Join protocol to obtain attestation key (by platform)

– Verify protocol to verify attestation (by relying party)

- Among other objections, this is privacy-invasive

Conclusions